
I know something that isn't two-factor authentication

William Edwards wrote a post entitled "I know someone whose 2-factor phone authentication was hacked…" about a friend whose bank account was drained by fraudsters. His bank relied on a dial-back system. The attackers social-engineered BT to re-route the phone calls. This attack is eerily similar to the recent attack on Cloudflare, which started with an attack on an AT&T account.

I agree with almost everything in the post, except this: a dial-back verification system is not two-factor authentication. It's been clear to me that the term "two-factor authentication" is showing its age. In many ways I prefer the term "strong authentication" because it implies that you are increasing the strength around authentication. And it leads us to this:

In order for an authentication mechanism to be considered strong, it must rely upon cryptographic proof of possession of the authentication factors.

There is no cryptography in a dial-back system. There is no provable encryption in SMS. These systems may be better than a static password, but they are not strong!

If your authentication system falls back to a system that doesn't rely on secure systems, then it is not strong. It's the old cliché about weakest links.
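To make the distinction concrete, here is an added illustration (not code from the original post): a bearer code sent over the phone channel, of the kind a dial-back or SMS system uses, beside a challenge-response proof of possession where only an HMAC over a fresh server nonce ever crosses the wire. The user name and the `login|` domain prefix are assumptions for the demo.

```python
import hashlib
import hmac
import os


class BearerCodeVerifier:
    """Models a dial-back / SMS code. The code itself is the whole proof,
    so whoever receives the call or message (e.g. via a re-routed line)
    is indistinguishable from the legitimate user."""

    def __init__(self):
        self.pending = {}

    def issue(self, user):
        code = f"{int.from_bytes(os.urandom(4), 'big') % 1_000_000:06d}"
        self.pending[user] = code
        return code  # this value travels over the phone channel

    def verify(self, user, presented):
        return hmac.compare_digest(self.pending.pop(user, ""), presented)


class PossessionVerifier:
    """Cryptographic proof of possession: the device key never leaves the
    device; the channel only carries a nonce and an HMAC over it, neither
    of which lets an observer answer the next challenge."""

    def __init__(self):
        self.keys, self.challenges = {}, {}

    def enroll(self, user, key):
        self.keys[user] = key

    def challenge(self, user):
        nonce = os.urandom(16)  # fresh per login, consumed on verify
        self.challenges[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self.challenges.pop(user, None)
        if nonce is None or user not in self.keys:
            return False
        expected = hmac.new(self.keys[user], b"login|" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def device_respond(key, nonce):
    """What the enrolled device computes; the key stays on the device."""
    return hmac.new(key, b"login|" + nonce, hashlib.sha256).digest()
```

Anyone who receives the bearer code passes `BearerCodeVerifier.verify`, whereas with `PossessionVerifier` an observed response is useless against a new nonce, which is the property the post calls strong authentication.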
